This Month’s Hacking News is Old, But Change Your Passwords Anyway

posted Jun 3, 2016, 11:02 AM by Resty Manapat

Three big numbers came out this month, revealing the
scale of hacks at MySpace, tumblr, and LinkedIn. The good news is that all of
these hacks took place a long time ago, and if your information got out,
chances are you’ve changed your password since then. The bad news is that
there’s no telling how long this information has been public. The worst news of
all? A lot of companies aren’t staying ahead of the game when it comes to
securing passwords stored on their servers, but neither are users when it comes
to picking them.

Several lists containing email addresses, user names, and passwords went on sale on the seedy underbelly of the internet this month (prices quoted in Bitcoin, of course), and those lists reveal the scale of some major hacks. Earlier this month, tumblr announced in a blog post that they had recently become aware of a 2013 breach of their servers — we now know that it affected 65 million unique email addresses. Another list of LinkedIn accounts and passwords stolen in 2012 totaled over 100 million, while a MySpace breach estimated to have taken place in 2008 or 2009 affected 360 million users.

In the present, this probably doesn’t matter to you. If you have an account on any of those sites and changed your password at any point over the intervening years, you’re fine. Considering that tumblr forced you to change your password if you were affected, that’s one down for sure. And chances are your 2008-2009 MySpace page no longer exists at all. The LinkedIn breach is nasty, but as long as you’re employing good password practices and changing your password regularly, you have nothing to worry about.

Instead, this month’s news is partially a sober reminder
of how insecure online accounts are and partially another sober reminder about
how dedicated hackers are to exploiting that insecurity. It’s a pretty good
rule of thumb to assume that what we know is dwarfed by what we don’t know — in
other words, if these are the breaches we know about, imagine how many we
haven’t heard about yet.

And the arms race is heating up — in none of these three cases did the companies store unencrypted, plaintext passwords. They were all hashed, but LinkedIn and MySpace didn’t add a salt before hashing. A salt is a random string of characters added to a user’s password before it is hashed, so that the stored hash result changes even when two users pick the same password. All three sites used SHA-1, which is easily exploited because the same password will always generate the same hash. In other words, ‘password1’ will always produce the same string of characters when it’s hashed with SHA-1, allowing hackers to build lists of hashes for commonly used passwords ahead of time and simply look each stolen hash up. At this point, there’s cracking software that can easily do this for all passwords that use only letters and are fewer than ten characters long, which is why so many sites require you to use a mix of lowercase, uppercase, numbers, and special characters. Although tumblr required users to change their passwords, they did use salt, making their passwords more secure and harder to crack.
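The difference the paragraph above describes, shown in a small added example (not code from the original post or from any of the companies named): a precomputed table of SHA-1 hashes for common passwords recovers an unsalted hash with one dictionary lookup, while the same table is useless against a salted hash. The list of common passwords is constructed for the demo, and the closing `pbkdf2_store`/`pbkdf2_verify` functions show the salted, deliberately slow scheme that is current practice, using Python's standard `hashlib.pbkdf2_hmac`.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a few common passwords standing in for the large
# wordlists that cracking tools actually use.
COMMON_PASSWORDS = ["password1", "123456", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 of the password: the same input always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt plus the password, so identical
    passwords no longer share a hash and a precomputed table does not apply."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup_table(passwords) -> Dict[str, str]:
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {sha1_unsalted(p): p for p in passwords}


def recover_from_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup; returns None when the hash is not in the table."""
    return table.get(stored_hash)


def pbkdf2_store(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted and intentionally slow: each guess costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def pbkdf2_verify(password: str, salt: bytes, iterations: int, expected_hex: str) -> bool:
    """Constant-time comparison so the check itself does not leak information."""
    return hmac.compare_digest(pbkdf2_store(password, salt, iterations), expected_hex)


def demo():
    """Returns (unsalted lookup result, salted lookup result) for 'password1'."""
    table = build_lookup_table(COMMON_PASSWORDS)
    salt = os.urandom(16)  # per-user random salt, generated at account creation
    return (recover_from_table(sha1_unsalted("password1"), table),
            recover_from_table(sha1_salted("password1", salt), table))


if __name__ == "__main__":
    print(demo())  # unsalted hash is recovered, salted hash is not
```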

It’s all a bit confusing, but if there’s one takeaway,
it’s that making passwords with a mix of lowercase letters, uppercase letters,
numbers, and special characters is like being told to eat your vegetables as a
kid — you might not want to do it, but your parents aren’t lying when they say
it’s good for you. We can (and should, and will) harp on companies to improve
their data security, but hackers will keep improving their techniques, too — there’s
only so much companies can do, especially when hundreds of thousands of users
are still using password1 (or at least were in 2008).

As always, if you’re worried you’ve been the victim of a
hack, you can check Have I Been Pwned to see for sure.

Please consult an attorney for advice about your individual situation. This site and its information are not legal advice, nor are they intended to be. Feel free to get in touch by electronic mail, letter or phone call, but please refrain from sending any confidential information to us.